JIRA is Unable to Use NTLM Authentication

お困りですか?

アトラシアン コミュニティをご利用ください。

コミュニティに質問

このページの内容は、Jira アプリケーションでサポートされていないプラットフォームに関連しています。したがって、アトラシアンは、そのためのサポートの提供を保証できません 。この資料は情報提供のみを目的としているため、お客様自身の責任でご使用ください。


症状

When attempting to integrate a NTLM proxy within JIRA, any of the below can occur:

  1. JIRA will be unable to access the Atlassian Marketplace through the Universal Plugin Manager.
  2. Fisheye application links may not work.
  3. Support Tools (Hercules scan) will be unable to run as it cannot fetch the require metadata.
  4. Built-in feedback will no longer work.
  5. 'What's new' gadget will not be able to retrieve information.
  6. The below JVM arguments may not be recognised:
    -Dhttp.proxyHost
    -Dhttp.nonProxyHosts
    -Dhttp.proxyPort
    -Dhttp.proxyUser
    -Dhttp.proxyPassword
    -Dhttp.auth.ntlm.domain

atlassian-jira.log に次のエラーが返されます。

2012-06-22 11:22:22,363 StreamsCompletionService::thread-3 ERROR bmills 681x247x6 1ku2b0i 10.128.49.73 /plugins/servlet/streams [apache.commons.httpclient.HttpMethodDirector] Credentials cannot be used for NTLM authentication: org.apache.commons.httpclient.UsernamePasswordCredentials
org.apache.commons.httpclient.auth.InvalidCredentialsException: Credentials cannot be used for NTLM authentication: org.apache.commons.httpclient.UsernamePasswordCredentials
	at org.apache.commons.httpclient.auth.NTLMScheme.authenticate(NTLMScheme.java:331)
	at org.apache.commons.httpclient.HttpMethodDirector.authenticateProxy(HttpMethodDirector.java:319)
	at org.apache.commons.httpclient.HttpMethodDirector.authenticate(HttpMethodDirector.java:231)
	at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:169)
	at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:396)
	at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:324)
	at com.atlassian.sal.core.net.HttpClientRequest.executeMethod(HttpClientRequest.java:479)
	at com.atlassian.sal.core.net.HttpClientRequest.executeAndReturn(HttpClientRequest.java:306)
	at com.atlassian.plugins.rest.module.jersey.JerseyRequest.executeAndReturn(JerseyRequest.java:158)
	at com.atlassian.applinks.core.auth.ApplicationLinkRequestAdaptor.execute(ApplicationLinkRequestAdaptor.java:85)
	at com.atlassian.streams.internal.AppLinksActivityProvider.fetch(AppLinksActivityProvider.java:416)
	at com.atlassian.streams.internal.AppLinksActivityProvider.access$200(AppLinksActivityProvider.java:96)
	at com.atlassian.streams.internal.AppLinksActivityProvider$1.call(AppLinksActivityProvider.java:178)
	at com.atlassian.streams.internal.AppLinksActivityProvider$1.call(AppLinksActivityProvider.java:170)
	at com.atlassian.streams.internal.FeedBuilder$ToFeedCallable$1.call(FeedBuilder.java:115)
	at com.atlassian.streams.internal.FeedBuilder$ToFeedCallable$1.call(FeedBuilder.java:110)
	at java.util.concurrent.FutureTask$Sync.innerRun(Unknown Source)
	at java.util.concurrent.FutureTask.run(Unknown Source)
	at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
	at java.util.concurrent.FutureTask$Sync.innerRun(Unknown Source)
	at java.util.concurrent.FutureTask.run(Unknown Source)
	at com.atlassian.util.concurrent.LimitedExecutor$Runner.run(LimitedExecutor.java:96)
	at com.atlassian.sal.core.executor.ThreadLocalDelegateRunnable.run(ThreadLocalDelegateRunnable.java:34)
	at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
	at java.lang.Thread.run(Unknown Source)

原因

Currently JIRA and Stash does not support all implementations of integration with NTLM proxies and due to this certain areas of JIRA will not function fully when using one. For further information, please take a look at the below issues:

  • Fisheye: FISH-436 
  • JIRA: JRA-2398 - Getting issue details... STATUS
  • Universal Plugin Manager:  UPM-1104 - Getting issue details... STATUS
  • Shared Access Layer:  SAL-166 - Getting issue details... STATUS

回避策

As you can see from past comments: here and here, customers reported success by following the steps below:

  • Install Cntlm Authentication Proxy locally to their JIRA/Stash server
  • Configured and tested it to make sure "Cntlm" works with their corporate NTLM and then used the parameters

    How to test Cntlm is working with your NTLM

    cntlm.ini でユーザー、ドメイン、およびプロキシ情報を更新し、次のコマンドでプロキシをテストします (Cntlm のインストール フォルダで実行します)。

    cntlm -c cntlm.ini -I -M http://google.ro
    

    パスワードが確認され、必要な認証情報が表示されるはずです。これは cntlm.ini に保存する必要があります。

    cntlm.ini の例

    Username            user
    Domain              domain
    
    # provide actual value if autodetection fails
    # Workstation         pc-name
    
    Proxy               my_proxy_server.com:80
    NoProxy             127.0.0.*, 192.168.*
    
    Listen              127.0.0.1:54321
    Listen              192.168.1.42:8080
    Gateway             no
    
    SOCKS5Proxy         5000
    # provide socks auth info if you want it
    # SOCKS5User          socks-user:socks-password
    
    # printed authentication info from the previous step
    Auth            NTLMv2
    PassNTLMv2      98D6986BCFA9886E41698C1686B58A09
    

    注: Linux の場合、構成ファイルは cntlm.conf です

  • Have the configuration described on Configure an outbound proxy for use in Jira server point to the local "Cntlm" proxy instead - and that one will do the job to talk to NTLM.

There are no other current workarounds for Fisheye - please see FISH-436 for further information.

 

最終更新日 2018 年 11 月 2 日

この内容はお役に立ちましたか?

はい
いいえ
この記事についてのフィードバックを送信する
Powered by Confluence and Scroll Viewport.